Linksys SPA2102-AU User manual

Corporate Headquarters
Linksys
121 Theory Drive
Irvine, CA 92617
USA
http://www.linksys.com
Tel: 949 823-1200
800 546-5797
Fax: 949 823-1100
Linksys SPA Provisioning Guide
Version 3.0

Copyright ©2007 Cisco Systems, Inc. All rights reserved. Specifications are subject to change without notice. Linksys is a registered trademark or trademark of Cisco Systems,
Inc. and/or its affiliates in the U.S. and certain other countries. Other brands and product names are trademarks or registered trademarks of their respective holders.
Disclaimer – Please Read:
This document contains implementation examples and techniques using Linksys, a division of Cisco Systems, Inc. and, in some instances, other company’s technology and
products and is a recommendation only and does not constitute any legal arrangement between Linksys, a division of Cisco Systems, Inc. and the reader, either written or
implied. The conclusions reached and recommendations and statements made are based on generic network, service and application requirements and should be regarded as
a guide to assist you in forming your own opinions and decision regarding your particular situation. As well, Linksys reserves the right to change the features and
functionalities for products described in this document at any time. These changes may involve changes to the described solutions over time.
Use of Proprietary Information and Copyright Notice:
This document contains proprietary information that is to be used only by Linksys customers. Any unauthorized disclosure, copying, distribution, or use of this information
is prohibited.

CONTENTS
Preface vii
Document Audience vii
Linksys VoIP Products vii
How This Document is Organized viii
Document Conventions viii
Related Documentation ix
Technical Support ix
Chapter 1 Provisioning Linksys VoIP Devices 1-1
Residential Deployment Provisioning Requirements 1-1
Remote Endpoint Control 1-2
Communication Encryption 1-2
Provisioning Overview 1-2
Initial Provisioning 1-3
Deploying RC Units 1-3
Redundant Provisioning Servers 1-4
Retail Provisioning 1-4
Automatic In-House Preprovisioning 1-5
Configuration Access Control 1-5
SPA Configuration Profiles 1-5
SPA Provisioning Flow 1-6
Using HTTPS 1-8
How HTTPS Works 1-8
Server Certificates 1-9
Client Certificates 1-9
Linksys Certificate Chain Structure 1-9
Provisioning Setup 1-10
License Keys 1-11
Software Tools 1-11
Server Configuration 1-11
TFTP 1-12
HTTP 1-12

Enabling HTTPS 1-13
Syslog Server 1-15
Where to Go From Here 1-15
Chapter 2 Creating Provisioning Scripts 2-1
SPA Configuration File 2-1
Open Format Configuration File 2-2
Configuration File Compression 2-5
File Encryption 2-5
SPA Configuration Profile Compiler 2-6
Proprietary Plain-Text Configuration File 2-8
Source Text Syntax 2-8
Comments 2-9
Macro Expansion 2-9
Conditional Expressions 2-10
Assignment Expressions 2-11
URL Syntax 2-12
Optional Resync Arguments 2-12
key 2-13
post 2-13
alias 2-13
Combining Options 2-14
Using Provisioning Parameters 2-15
General Purpose Parameters 2-15
Enables 2-15
Triggers 2-16
Configurable Schedules 2-16
Profile Rules 2-17
Report Rule 2-19
Upgrade Rule 2-19
Data Types 2-20
Chapter 3 Provisioning Tutorial 3-1
Preparation 3-1
Basic Resync 3-2
TFTP Resync 3-2
Syslog 3-3
Automatic Resync 3-4

Unique Profiles and Macro Expansion 3-5
URL Resolution 3-5
HTTP GET Resync 3-6
Secure Resync 3-7
Basic HTTPS Resync 3-7
HTTPS With Client Certificate Authentication 3-9
HTTPS Client Filtering and Dynamic Content 3-9
Profile Formats 3-10
Profile Compression 3-10
Profile Encryption 3-11
Partitioned Profiles 3-12
Parameter Name Aliases 3-12
Proprietary Profile Format 3-13
Chapter 4 Provisioning Field Reference 4-1
Configuration Profile Parameters 4-1
Firmware Upgrade Parameters 4-4
General Purpose Parameters 4-6
Macro Expansion Variables 4-7
Internal Error Codes 4-9
Appendix A Acronyms
Appendix B Glossary
Appendix C Example SPA Configuration Profile
INDEX

Preface
This guide describes the provisioning of Linksys Voice over IP (VoIP) products. It contains the following
sections:
• Document Audience, page vii
• Linksys VoIP Products, page vii
• How This Document is Organized, page viii
• Document Conventions, page viii
• Related Documentation, page ix
• Technical Support, page ix
Document Audience
This document is written for service providers who offer services using Linksys VoIP products and
specifically for administrative staff responsible for remote provisioning and preprovisioning Linksys
devices.
Linksys VoIP Products
The following summarizes the Linksys VoIP products that can be remotely provisioned or
preprovisioned using the information provided in this document.
• SPA9000—IP PBX with Auto-Attendant; can be used with the SPA400, which provides a SIP-PSTN
gateway
• Linksys Analog Telephone Adapters (ATAs):
• PAP2T—Voice adapter with two FXS ports
• SPA1001—Small VoIP adapter
• SPA2102—Voice adapter with router
• SPA3102—Voice adapter with router and PSTN gateway
• RTP300—IP router with two FXS ports
• WRTP54G—Wireless-G IP router with two FXS ports

• SPA900 Series IP phones:
• SPA901—One line, small, affordable, no display
• SPA921—One-line business phone
• SPA922—One-line business phone with Power over Ethernet (PoE) support and an extra
Ethernet port for connecting another device to the LAN
• SPA941—Default is two lines, upgradeable to four lines
• SPA942—Default is two lines, upgradeable to four lines. Power over Ethernet (PoE) support
and an extra Ethernet port for connecting another device to the LAN
• SPA962—Six lines, hi-res color display. Power over Ethernet (PoE) support and an extra
Ethernet port for connecting another device to the LAN
Note A Linksys VoIP device that supports the remote provisioning options described in this document is
referred to generically as a SPA.
How This Document is Organized
This document is divided into the following chapters and appendices.
Chapter Contents
Chapter 1, “Provisioning Linksys VoIP Devices”: This chapter introduces Linksys VoIP products.
Chapter 2, “Creating Provisioning Scripts”: This chapter describes how to work with Linksys provisioning scripts and configuration profiles.
Chapter 3, “Provisioning Tutorial”: This chapter provides step-by-step procedures for using the scripting language to create a configuration profile.
Chapter 4, “Provisioning Field Reference”: This chapter provides a systematic reference for each parameter on the Provisioning tab of the administration web server.
Appendix A, “Acronyms”: This appendix provides the expansion of acronyms used in this document.
Appendix B, “Glossary”: This appendix defines the terms used in this document.
Document Conventions
The following are the typographic conventions used in this document.
Typographic Element Meaning
Boldface: Indicates an option on a menu or a literal value to be entered in a field.
<parameter>: Angle brackets (<>) are used to identify parameters that appear on the configuration pages of the Linksys device administration web server. The index at the end of this document contains an alphabetical listing of each parameter, hyperlinked to the appropriate table in Chapter 4, “Provisioning Field Reference.”
Italic: Indicates a variable that should be replaced with a literal value.
Monospaced Font: Indicates code samples or system output.
Related Documentation
The following documentation provides additional information about features and functionality of
Linksys ATAs:
• AA Quick Guide
• IVR Quick Guide
• SPA Provisioning Guide
The following documentation describes how to use other Linksys Voice System products:
• SPA9000 Administrator Guide
• LVS CTI Integration Guide
• LVS Integration with ITSP Hosted Voicemail Guide
• SPA900 Series IP Phones Administrator Guide
• SPA 2.0 ATA Administrator Guide
• Linksys Voice over IP Product Guide: SIP CPE for Massive Scale Deployment
Technical Support
Technical support contact information for authorized Linksys Voice System partners is as follows:
• LVS Phone Support (requires an authorized partner PIN)
888 333-0244 Hours: 4am-6pm PST, 7 days a week
• E-mail support
voipsupport@linksys.com


Chapter 1 Provisioning Linksys VoIP Devices
This chapter describes the features and functionality available when provisioning Linksys VoIP devices
and explains the setup required. It includes the following sections:
• Residential Deployment Provisioning Requirements, page 1-1
• Provisioning Overview, page 1-2
• Configuration Access Control, page 1-5
• Using HTTPS, page 1-8
• Provisioning Setup, page 1-10
• Where to Go From Here, page 1-15
Note A Linksys VoIP device is generically referred to in this document as a SPA. Unless otherwise noted, the
instructions in this document apply equally to the SPA9000, Linksys Analog Telephone Adapters
(ATAs), and SPA900 Series IP phones.
Residential Deployment Provisioning Requirements
Linksys ATAs, such as the PAP2T, are primarily intended for high-volume deployments by VoIP service
providers to residential and small business customers. In this scenario, units are likely to be widely
distributed across the Internet, connected through routers and firewalls at the customer premises.
Further, ATAs can also serve as terminal nodes in business or enterprise environments, where the units
may be operated within a self-contained LAN environment.
The ATA can be seen as a remote extension of the service provider back-end equipment. In essence, it
replaces the traditional physical analog telephone line connection from a customer premise to a central
office with a virtual connection, which relies on broadband Internet service to extend the central office
phone line termination into the customer premises.
The ATA can assume responsibility for many of the functions that were traditionally handled at the
central office. At a minimum, the ATA serves as a media conversion endpoint, offering the consumer a
telephone port analogous to a traditional phone line terminal.
Remote management and configuration is required to efficiently ensure proper operation of the ATA at
the customer premises. ATA configuration varies according to the individual customer and with the same
customer over a period of time.

The ATA must be configured to match the account service parameters for the individual customer. Also,
configuration may need to be modified because of newly introduced service provider features,
modifications in the service provider network, or firmware upgrades in the endpoint.
This customized, ongoing configuration is supported by the following features of Linksys ATAs:
• Reliable remote control of the endpoint,
• Encryption of the communication controlling the endpoint,
• Streamlined endpoint account binding.
Remote Endpoint Control
The service provider must be able to modify configuration parameters in the ATA after the unit has been
deployed to the customer premises. The service provider must also be able to upgrade the endpoint
firmware remotely, and both of these operations must be reliable.
In a residential deployment, the endpoint itself is typically connected in a local network, and accesses
the Internet through a router using network address translation (NAT). For enhanced security, the router
may attempt to block unauthorized incoming packets by implementing symmetric NAT, a packet
filtering strategy which severely restricts the packets that are allowed to enter the protected network
from the Internet.
Communication Encryption
The configuration parameters communicated to the endpoint may contain authorization codes or other
information that should not be revealed to the customer. This may be required to protect the service provider
from unauthorized activity by the customer. It is also necessary to protect the customer from
unauthorized use of the account by other customers.
For this reason, the service provider may wish to encrypt the configuration profile communication
between the provisioning server and the endpoint, in addition to restricting access to the ATA
administration web server.
Provisioning Overview
Linksys VoIP products support secure remote provisioning and firmware upgrades. Configuration
profiles can be generated using common, open source tools, facilitating integration into service provider
provisioning systems. Supported transport protocols include TFTP, HTTP, and HTTPS with client
certificates. Linksys provisioning solutions are designed for high-volume residential deployment, where
each SPA typically resides in a separate LAN environment connected to the Internet with a NAT device.
Note This Provisioning Guide is intended to supplement the product administration guides, which provide
definitions and usage guidelines for each parameter available for a specific device.
The SPA can be configured to resync its internal configuration state to a remote profile periodically and
on power up. Starting with firmware release 2.0, 256-bit symmetric key encryption of profiles is
supported. In addition, an unprovisioned SPA can receive an encrypted profile specifically targeted for
that device without requiring an explicit key. Release 2.0 supports a secure first-time provisioning
mechanism using SSL functionality.

Note Remote customization (RC) units are introduced with Release 5.x. RC units are customized by Linksys
so when the unit is started, it tries to contact the Linksys provisioning server to download its customized
profile.
User intervention is not required to initiate or complete a profile update or firmware upgrade. Remote
firmware upgrade is achieved via TFTP or HTTP, but not using HTTPS because the firmware does not
contain sensitive information that can be read by a customer. The SPA upgrade logic is capable of
automating multi-stage upgrades, if intermediate upgrades are required to reach a future upgrade state
from an older release. A profile resync is only attempted when the SPA is idle, because this may trigger
a software reboot.
General purpose parameters are provided to help service providers manage the provisioning process.
Each SPA can be configured to periodically contact a normal provisioning server (NPS). Communication
with the NPS does not require the use of a secure protocol because the updated profile is encrypted by a
shared secret key. The NPS can be a standard TFTP, HTTP or HTTPS server.
Initial Provisioning
Linksys ATAs provide convenient mechanisms for initial provisioning, based on two deployment
models:
• Retail distribution, where the customer purchases the ATA separately from the VoIP service
• Bulk distribution, where the service provider issues the ATA to the customer as part of the VoIP
service contract
In the first model, the customer purchases the ATA from a retail outlet, and subsequently requests VoIP
service from the service provider, for use with that adapter. The service provider must then support
secure remote configuration of the unit.
In the second model, the service provider acquires adapters in bulk quantity, and either preprovisions the
adapters in-house or purchases RC units from Linksys.
Deploying RC Units
The in-house preprovisioning step can be eliminated by using RC units. Customization of RC units
reduces the need to handle the units prior to shipping to end customers. It also discourages the use of the
SPA with a different service.
The MAC address of each RC unit is associated with a customized profile for the customer who
purchased each unit on a provisioning server maintained by Linksys. The RC unit is preprovisioned by
Linksys with the connection information for the Linksys provisioning server. When the RC unit is
started, it tries to contact the Linksys provisioning server and download its customized profile.
The status of customization for an RC unit can be determined by viewing the Customization parameter
in the Product Information section of the Info tab. An RC unit that has not been provisioned displays
Pending. An RC unit that has been provisioned displays the name of the company that owns the unit. If
the unit is not an RC unit the web page displays Not Customized.
Linksys offers RC units to service providers for volume deployments of SPA endpoints. Through
customization, the manufacturing default values of a select number of parameters can be customized to
meet the needs of individual service providers.

The following is a sample template for an RC unit:
Restricted Access Domain "domain.com, domain1.com, domain2.com";
Primary_DNS * "x.y.w.z";
Secondary_DNS * "a.b.c.d";
Provision_Enable * "Yes";
Resync_Periodic * "30";
Resync_Error_Retry_Delay * "30";
Profile_Rule * "http://prov.domain.com/sipura/profile?id=$MA";
The Restricted Access Domain parameter is configured with the actual domain names of up to a
maximum of five domains. The Primary_DNS and Secondary_DNS parameters are configured with the
actual domain names or IP addresses of the DNS servers available to the RC unit.
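The RC template above uses the proprietary plain-text profile syntax (a parameter name, an optional *, a quoted or bare value, a ; terminator, # comments) and the $MA macro in Profile_Rule; the SEC-PRV rows of Table 1-1 later in this chapter add the bracketed [--key $A] option and the $A/$B references to GPP_A/GPP_B. The Go program below is an added example, not Linksys code and not the SPC tool: it parses a constructed profile, expands the macros for one device and splits the bracketed options from the URL. Assumptions not stated on the page: $MA is rendered as the MAC address in lowercase hex without separators, $A..$P map to GPP_A..GPP_P, and every sample value (key, directory, MAC) is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Param is one entry of the proprietary plain-text profile: Name [*] value;
type Param struct {
	Name  string
	Value string
	Star  bool // the '*' between name and value used in RC templates
}

// stripComment drops a '#' comment unless the '#' sits inside double quotes.
func stripComment(line string) string {
	quoted := false
	for i, c := range line {
		if c == '"' {
			quoted = !quoted
		} else if c == '#' && !quoted {
			return line[:i]
		}
	}
	return line
}

// parseProfile reads the entry forms shown in this guide: an optional '*', a
// quoted or bare value, a ';' terminator and '#' comments to end of line.
func parseProfile(src string) (map[string]Param, error) {
	out := map[string]Param{}
	for n, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(stripComment(raw))
		if line == "" {
			continue
		}
		if !strings.HasSuffix(line, ";") {
			return nil, fmt.Errorf("line %d: entry does not end with ';'", n+1)
		}
		fields := strings.Fields(strings.TrimSuffix(line, ";"))
		if len(fields) < 2 {
			return nil, fmt.Errorf("line %d: expected a parameter name and a value", n+1)
		}
		p, rest := Param{Name: fields[0]}, fields[1:]
		if rest[0] == "*" {
			p.Star, rest = true, rest[1:]
		}
		p.Value = strings.Trim(strings.Join(rest, " "), "\"")
		out[p.Name] = p
	}
	return out, nil
}

var macro = regexp.MustCompile(`\$(MA|[A-P])`)

// expand replaces $MA with the device MAC address and $A..$P with the value of
// GPP_A..GPP_P. Assumed here: the MAC is rendered as lowercase hex, no separators.
func expand(rule, mac string, params map[string]Param) string {
	mac = strings.ToLower(strings.NewReplacer(":", "", "-", "").Replace(mac))
	return macro.ReplaceAllStringFunc(rule, func(m string) string {
		if m == "$MA" {
			return mac
		}
		return params["GPP_"+m[1:]].Value
	})
}

var options = regexp.MustCompile(`^\s*\[([^\]]*)\]\s*`)

// splitRule separates the optional "[--key value ...]" prefix of a Profile_Rule
// from the URL it applies to, returning the options by name.
func splitRule(rule string) (map[string]string, string) {
	opts := map[string]string{}
	if m := options.FindStringSubmatch(rule); m != nil {
		f := strings.Fields(m[1])
		for i := 0; i+1 < len(f); i += 2 {
			opts[strings.TrimPrefix(f[i], "--")] = f[i+1]
		}
		rule = rule[len(m[0]):]
	}
	return opts, strings.TrimSpace(rule)
}

// sampleProfile is constructed demo input modelled on the snippets in this chapter.
const sampleProfile = `
Provision_Enable * "Yes";
Resync_Periodic * "30";
GPP_A 8e4ca259deadbeef;  # 256 bit key (shortened demo value)
GPP_B Gp3sqLn;           # random CFG file path directory (demo value)
Profile_Rule * "[--key $A] tftp.callme.com/profile/$B/$MA.cfg";
`

func main() {
	params, err := parseProfile(sampleProfile)
	if err != nil {
		panic(err)
	}
	opts, url := splitRule(expand(params["Profile_Rule"].Value, "00:0E:08:AA:BB:CC", params))
	fmt.Println("options:", opts, "resync URL:", url)
}
```

The comment stripper is quote-aware so a # inside a quoted value survives, and a missing ; is reported with its line number rather than silently merged into the next entry, which is the failure a hand-edited template most often has.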
Redundant Provisioning Servers
The provisioning server may be specified as an IP address or as a fully qualified domain name (FQDN).
The use of a FQDN facilitates the deployment of redundant provisioning servers. When the provisioning
server is identified through a FQDN, the SPA attempts to resolve the FQDN to an IP address through
DNS. Only DNS A-records are supported for provisioning; DNS SRV address resolution is not available
for provisioning. The SPA continues to process A-records until the first server responds. If no server
associated with the A-records responds, the SPA logs an error to the syslog server.
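The paragraph above describes a failover loop: resolve the FQDN to its A-records, try each address until one serves the profile, and log to syslog when none does. The Go function below is an added example of that flow, not Linksys firmware code; lookup, fetch and syslog are injected so the example runs offline against a constructed DNS table and server set (prov.supervoip.com is the host name this guide uses in its own examples; the 192.0.2.x addresses are documentation addresses). In a real client lookup would wrap net.LookupIP and fetch would perform the TFTP, HTTP or HTTPS request.

```go
package main

import (
	"errors"
	"fmt"
)

// resyncWithFailover follows the redundant-server behaviour described above:
// resolve the provisioning FQDN to its A-records and try each address in turn
// until one returns a profile. If none responds, an error is sent to syslog and
// the failure is returned to the caller. lookup, fetch and syslog are injected so
// the flow runs offline; in production lookup would wrap net.LookupIP (A-records
// only, no SRV) and fetch would issue the TFTP/HTTP/HTTPS request to one address.
func resyncWithFailover(fqdn string, lookup func(string) ([]string, error),
	fetch func(addr string) ([]byte, error), syslog func(string)) (string, []byte, error) {
	addrs, err := lookup(fqdn)
	if err == nil && len(addrs) == 0 {
		err = errors.New("no A-records")
	}
	if err != nil {
		syslog(fmt.Sprintf("resync: cannot resolve %s: %v", fqdn, err))
		return "", nil, err
	}
	var failures []string
	for _, addr := range addrs { // A-records in the order DNS returned them
		profile, ferr := fetch(addr)
		if ferr == nil {
			return addr, profile, nil
		}
		failures = append(failures, fmt.Sprintf("%s (%v)", addr, ferr))
	}
	msg := fmt.Sprintf("resync: no provisioning server for %s responded: %v", fqdn, failures)
	syslog(msg)
	return "", nil, errors.New(msg)
}

// Constructed demo environment: the FQDN has three A-records (TEST-NET-1
// addresses) and only the third server is reachable.
var demoDNS = map[string][]string{"prov.supervoip.com": {"192.0.2.10", "192.0.2.11", "192.0.2.12"}}
var demoServers = map[string][]byte{"192.0.2.12": []byte("Profile_Rule \"https://prov.supervoip.com/linksys\";\n")}

func demoLookup(fqdn string) ([]string, error) {
	if a, ok := demoDNS[fqdn]; ok {
		return a, nil
	}
	return nil, errors.New("NXDOMAIN")
}

func demoFetch(addr string) ([]byte, error) {
	if p, ok := demoServers[addr]; ok {
		return p, nil
	}
	return nil, errors.New("connection timed out")
}

func main() {
	syslog := func(m string) { fmt.Println("syslog:", m) }
	addr, profile, err := resyncWithFailover("prov.supervoip.com", demoLookup, demoFetch, syslog)
	fmt.Printf("served by %s (err=%v)\n%s", addr, err, profile)
	_, _, err = resyncWithFailover("missing.supervoip.com", demoLookup, demoFetch, syslog)
	fmt.Println("unresolvable name:", err)
}
```

The syslog message lists every address that was tried with its failure reason, which is what an operator needs to tell a DNS problem (no records) apart from a server outage (records present, nothing answering).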
Retail Provisioning
The SPA firmware includes an administration web server that displays SPA internal configuration and
accepts new configuration parameter values. The server also accepts a special URL command syntax for
performing remote profile resync and firmware upgrade operations.
In a retail distribution model, a customer purchases a Linksys voice endpoint device, and subsequently
subscribes to a particular service. The customer first signs on to the service and establishes a VoIP
account, possibly through an online portal. Subsequently, the customer binds the particular device to the
assigned service account.
To do so, the unprovisioned SPA is instructed to resync with a specific provisioning server through a
resync URL command. The URL command typically includes an account PIN number or alphanumeric
code to associate the device with the new account.
In the following example, a device at the DHCP-assigned IP address 192.168.1.102 is instructed to
provision itself to the SuperVoIP service:
http://192.168.1.102/admin/resync?https://prov.supervoip.com/linksys-init/1234abcd
In this example, 1234abcd is the PIN number of the new account. The remote provisioning server is
configured to associate the SPA that is performing the resync request with the new account, based on the
URL and the supplied PIN. Through this initial resync operation, the SPA is configured in a single step,
and is automatically directed to resync thereafter to a permanent URL on the server. For example:
https://prov.supervoip.com/linksys
For both initial and permanent access, the provisioning server relies on the SPA client certificate for
authentication and supplies correct configuration parameter values based on the associated service
account.

Automatic In-House Preprovisioning
Using the administration web server and issuing a resync URL is convenient for a customer in the retail
deployment model, but it is not as convenient for preprovisioning a large number of units.
The SPA supports a more convenient mechanism for in-house preprovisioning. With the factory default
configuration, a SPA automatically tries to resync to a specific file on a TFTP server, whose IP address
is offered as one of the DHCP-provided parameters. This lets a service provider connect each new SPA
to a LAN environment configured to preprovision SPAs. Any new SPA connected to this LAN
automatically resyncs to the local TFTP server, initializing its internal state in preparation for
deployment. Among other parameters, this preprovisioning step configures the URL of the SPA
provisioning server.
Subsequently, when a new customer signs up for service, the preprovisioned SPA can be simply bar-code
scanned, to record its MAC address or serial number, before being shipped to the customer. Upon
receiving the unit, the customer connects the unit to the broadband link, possibly through a router. On
power-up the SPA already knows the server to contact for its periodic resync update.
Configuration Access Control
Besides configuration parameters that control resync and upgrade behavior, the SPA provides
mechanisms for restricting end-user access to various parameters.
The SPA firmware provides specific privileges for login to a User account and an Admin account. The
Admin account is designed to give the service provider configuration access to the SPA, while the User
account is designed to give limited and configurable control to the end user of the device.
The User account provides access to basic interactive voice response (IVR) functions and to a subset of
the administration web server parameters. The Admin account provides full access to all IVR functions
and to all administration web server parameters.
The User and Admin accounts can be independently password protected. The configuration parameters
available to the User account are completely configurable in the SPA, on a parameter-by-parameter
basis. Optionally, user access to the SPA administration web server can be totally disabled. The
manufacturing reset control using the IVR can also be disabled, via provisioning.
The Internet domains accessed by the SPA for resync, upgrades, and SIP registration for Line 1 can be
restricted. These and other features are described in detail in administration guides for each product.
SPA Configuration Profiles
The SPA configuration profile defines the parameter values for a specific SPA device. The configuration
profile can be used in two formats:
• Open (XML-style) format
• Proprietary, plain-text format
The XML-style format lets you use standard tools to compile the parameters and values. To protect
confidential information contained in the configuration profile, this type of file is generally delivered
from the provisioning server to the SPA over a secure channel provided by HTTPS.
The plain-text configuration file uses a proprietary format, which can be encrypted to prevent
unauthorized use of confidential information. By convention, the profile is named with the extension
.cfg (for example, spa2102.cfg). The Linksys Profile Compiler (SPC) tool is provided for compiling the

plain-text file containing parameter-value pairs into an encrypted CFG file. The SPC tool is available
from Linksys for the Win32 environment (spc.exe) and the Linux-i386-elf environment
(spc-linux-i386-static). An OpenBSD build of the SPC tool is available on a case-by-case basis.
SPA Provisioning Flow
Firmware release 1.0 provides basic features in support of secure provisioning. This section describes
the high-level provisioning flow supported by release 1.0 in the context of a service provider application.
The SPA provisioning flow is illustrated in Figure 1-1.
Figure 1-1 SPA Provisioning Flow

At a high level, the provisioning process involves four provisioning states described in Table 1-1.
Table 1-1 Provisioning States
Flow Step Step Description
MFG-RESET Manufacturing reset
Performing manufacturing reset on the SPA returns the device to a fully
unprovisioned state. All configurable parameters regain their manufacturing
default values.
Manufacturing reset can be performed from any state through the IVR sequence
****RESET#1#
Allowing the end user to perform manufacturing reset guarantees that the device
can always be returned to an accessible state.
SP-CUST Service provider customization
The provisioning parameters are customized for a particular service provider
network. The Profile_Rule parameter must be configured in this step to point to
a device specific configuration profile, using a service provider specific
provisioning server.
This can be accomplished in one of three ways:
• Auto-configuration via local DHCP server. A TFTP server name or IPv4
address is specified by DHCP on the local network. The indicated TFTP
server carries the desired Profile_Rule entry in the CFG file /spa2102.cfg
• Enter a resync URL. An end-user opens a browser onto the SPA web server,
explicitly requesting a resync to a specific TFTP server, using this URL
syntax: http://x.x.x.x/admin/resync?prvserv/spa2102.cfg where x.x.x.x is
the IP address of the specific SPA and prvserv is the target TFTP server,
followed by a profile path.
• Edit Profile_Rule parameter. Open the provisioning pane on the SPA web
interface, and enter the TFTP URL in the Profile_Rule parameter: for
example, prserv/spa2102.cfg.
The spa2102.cfg file modifies the Profile_Rule to contact a specific TFTP
server, and request a MAC-address specific CFG file. For example, the
following entry contacts a specific provisioning server, requesting a new
profile unique to this unit:
Profile_Rule tftp.callme.com/profile/$MA/spa2102.cfg;

SEC-PRV-1 Secure Provisioning—Initial Configuration
The initial device-unique CFG file should be targeted to each SPA by compiling
the CFG file with the spc --target option. This provides an initial level of
encryption that does not require the exchange of keys.
The initial device-unique CFG file should reconfigure the profile parameters to
enable stronger encryption, by programming a 256-bit encryption key, and
pointing to a randomly generated TFTP directory. For example, the CFG file
might contain:
Profile_Rule [--key $A] tftp.callme.com/profile/$B/spa2102.cfg;
GPP_A 8e4ca259…; # 256 bit key
GPP_B Gp3sqLn…; # random CFG file path directory
SEC-PRV-2 Secure Provisioning—Full Configuration
The subsequent profile resync operations retrieve 256-bit encrypted CFG files,
which maintain the SPA in a state synchronized to the provisioning server.
All remaining SPA parameters are configured and maintained through this
strongly encrypted profile. The encryption key and random directory location can
be changed periodically for extra security.
Using HTTPS
The SPA provides a reliable and secure provisioning strategy based on HTTPS requests from the SPA to
the provisioning server, using both server and client certificates for authenticating the client to the server
and the server to the client.
To use HTTPS with Linksys SPA units, you must generate a Certificate Signing Request (CSR) and
submit it to Linksys. Linksys generates a certificate for installation on the provisioning server that is
accepted by the SPA units when they seek to establish an HTTPS connection with the provisioning
server. This procedure is described in the “Enabling HTTPS” section on page 1-13.
How HTTPS Works
Starting with firmware release 2.0.6, the SPA implements SSL, which lets the SPA client connect to
servers using HTTPS.
HTTPS encrypts the communication between the client and the server, protecting the message contents
from other intervening network devices. The encryption method for the body of the communication
between client and server is based on symmetric key cryptography. With symmetric key cryptography,
a single secret key is shared by the client and the server over a secure channel protected by public/private
key encryption.
Messages encrypted by the secret key can only be decrypted using the same key. HTTPS supports a wide
range of symmetric encryption algorithms. The SPA implements up to 256-bit symmetric encryption,
using the Advanced Encryption Standard (AES), in addition to 128-bit RC4.
HTTPS also provides for the authentication of the server and the client engaged in a secure transaction.
This feature ensures that the provisioning server and an individual client cannot be spoofed by other
devices on the network. This is an essential capability in the context of remote endpoint provisioning.

Server and client authentication is performed using public/private key encryption, using certificates
containing the public key. Text encrypted with a public key can be decrypted only by its corresponding
private key (and vice versa). The SPA supports the RSA algorithm for public/private key cryptography.
Certificates are authenticated in the context of a certificate chain. A certificate authority lies at the root
of the chain, and every other certificate derives its authority from that root.
Server Certificates
Each secure provisioning server is issued an SSL server certificate, directly signed by Linksys. The
firmware running on the SPA clients recognizes only these certificates as valid. The clients try to
authenticate the server certificate when connecting via HTTPS, and reject any server certificate not
signed by Linksys.
This mechanism protects the service provider from unauthorized access to the SPA endpoint and from any
attempt to spoof the provisioning server. A spoofed server might otherwise allow an attacker to reprovision
the SPA, to gain configuration information, or to use a different VoIP service. Without the private key
corresponding to a valid server certificate, the attacker is unable to establish communication with a Linksys SPA.
Client Certificates
In addition to a direct attack on the SPA, an attacker might attempt to contact a provisioning server using
a standard web browser, or other HTTPS client, to obtain the SPA configuration profile from the
provisioning server. To prevent this kind of attack, each SPA also carries a unique client certificate, also
signed by Linksys, including identifying information about each individual endpoint. A certificate
authority root certificate capable of authenticating the device client certificate is given to each service
provider. This authentication path allows the provisioning server to reject unauthorized requests for
configuration profiles.
Linksys Certificate Chain Structure
The combination of server certificates and client certificates ensures the secure communication between
a remote SPA and its provisioning server. Figure 1-2 illustrates the relationship and placement of
certificates, public/private key pairs, and signing root authorities, among the Linksys client, the
provisioning server, and the Linksys certification authority.
The upper half of the diagram shows the Linksys Provisioning Server Root Authority, used to sign
individual provisioning server certificates. The corresponding root certificate is compiled into all
firmware releases at or above 2.0.6, allowing the SPA endpoints to authenticate authorized provisioning
servers.

Figure 1-2 SPA Configuration and Provisioning Certificate Chain
As indicated in the lower half of the diagram, a Linksys Client Certificate Root Authority signs each
unique certificate. The corresponding root certificate is made available to service providers for client
authentication purposes.
[Figure 1-2 (diagram): Sipura Technology, Inc Client Certificate Root Authority 1 signs the SPA client certificates; Sipura Technology, Inc Provisioning Server Root Authority 1 signs the VoIP service provider's provisioning server certificates. The SPA firmware load carries a root CA certificate list compiled into the firmware, which authenticates the server in the HTTPS connection; the HTTPS server configuration files on the service provider's provisioning server carry a root CA certificate list that authenticates the client in the HTTPS connection. Each party (SPA and provisioning server) holds its own certificate (CERT) and private key (PKEY).]
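The Retail Provisioning section earlier in this chapter (a resync URL carrying a one-time account PIN, after which the device is directed to a permanent URL) and the Server Certificates, Client Certificates and certificate chain discussion above together describe one exchange: a client that trusts only the provisioning server root, a server that admits only clients carrying a root-signed device certificate, and account binding keyed on the identity in that certificate. The Go program below is an added example of that exchange written with the standard library's crypto/tls and net/http/httptest, not Linksys code and not the Linksys certificate chain: the two roots, the server and device certificates, the PIN and the account name are all generated or constructed locally; prov.supervoip.com is the host name this guide uses in its own example; the profile body uses User_ID_1_ as an illustrative Line 1 parameter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// newCert makes a P-256 key and certificate for cn: a self-signed root when
// parent is nil, otherwise a leaf signed by parent/pkey carrying the given EKU.
func newCert(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey, eku x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, pkey = true, x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// buildTLS mirrors Figure 1-2 with two independent, locally generated roots: the
// server config holds the server certificate and verifies devices against the
// client root; the client config trusts only the server root, as the firmware does.
// The device certificate is returned separately so a client can also omit it.
func buildTLS(deviceMAC string) (server, client *tls.Config, device tls.Certificate) {
	sRoot, sKey := newCert("Demo Provisioning Server Root", nil, nil, x509.ExtKeyUsageAny)
	cRoot, cKey := newCert("Demo Client Certificate Root", nil, nil, x509.ExtKeyUsageAny)
	s, sk := newCert("prov.supervoip.com", sRoot, sKey, x509.ExtKeyUsageServerAuth)
	c, ck := newCert("SPA "+deviceMAC, cRoot, cKey, x509.ExtKeyUsageClientAuth)
	sPool, cPool := x509.NewCertPool(), x509.NewCertPool()
	sPool.AddCert(sRoot)
	cPool.AddCert(cRoot)
	// RequireAndVerifyClientCert: a browser or other client without a root-signed device certificate never reaches the handler.
	server = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{s.Raw}, PrivateKey: sk}},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: cPool}
	client = &tls.Config{RootCAs: sPool, ServerName: "prov.supervoip.com"}
	return server, client, tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: ck}
}

// provServer binds a device to an account on the initial resync (one-time PIN in
// the URL, identity from the verified client certificate) and then serves the
// permanent profile. PINs and account names are constructed demo data.
type provServer struct {
	mu             sync.Mutex
	pins, bindings map[string]string // PIN -> account; device CN -> account
}

func (p *provServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	device := r.TLS.PeerCertificates[0].Subject.CommonName // chain already verified by TLS
	p.mu.Lock()
	defer p.mu.Unlock()
	if pin := strings.TrimPrefix(r.URL.Path, "/linksys-init/"); pin != r.URL.Path {
		if acct, ok := p.pins[pin]; ok {
			delete(p.pins, pin) // a PIN binds exactly one device
			p.bindings[device] = acct
		}
	}
	acct, bound := p.bindings[device]
	if !bound {
		http.Error(w, "device not bound to an account", http.StatusForbidden)
		return
	}
	// Profile_Rule sends every later resync to the permanent URL.
	fmt.Fprintf(w, "Profile_Rule \"https://%s/linksys\";\nUser_ID_1_ \"%s\";\n", r.Host, acct)
}

func startServer(cfg *tls.Config, ps *provServer) *httptest.Server {
	srv := httptest.NewUnstartedServer(ps)
	srv.TLS = cfg
	srv.StartTLS()
	return srv
}

// spaClient presents whatever device certificates it is given (none models a browser).
func spaClient(cfg *tls.Config, certs ...tls.Certificate) *http.Client {
	c := cfg.Clone()
	c.Certificates = certs
	return &http.Client{Transport: &http.Transport{TLSClientConfig: c}}
}

// resync performs one GET; a TLS failure is returned as err, anything else as status code and body.
func resync(c *http.Client, url string) (int, string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), nil
}

func main() {
	server, client, device := buildTLS("000e08aabbcc")
	srv := startServer(server, &provServer{pins: map[string]string{"1234abcd": "acct-demo"}, bindings: map[string]string{}})
	defer srv.Close()
	fmt.Println(resync(spaClient(client, device), srv.URL+"/linksys-init/1234abcd"))
	fmt.Println(resync(spaClient(client), srv.URL+"/linksys"))
}
```

Two properties of the exchange are worth checking in your own deployment: the handler never reads a device identity from the URL or a header, only from the certificate the TLS layer has already chained to the client root, and a PIN is consumed on first use so a second device presenting the same PIN cannot take over the account.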